ClearFoundation Tracker - ClearOS
View Issue Details
Issue ID: 0000034
Project: ClearOS
Category: app-intrusion-prevention - Intrusion Prevention
View Status: public
Date Submitted: 2010-02-25 05:48
Last Update: 2010-06-17 15:19
Reporter: timb80
Assigned To: user2
Priority: normal
Severity: major
Reproducibility: sometimes
Status: closed
Resolution: fixed
Product Version: 5.1
Fixed in Version: 5.1
0000034: Snortsam does not always block hosts in a timely manner
This one is hard to reproduce. After the WAN has been down for an extended time, snortsam will sometimes fail to restart and will lie dead without warning (besides checking the webconfig manually). Not the problem, but maybe related:

Only snort is automatically restarted on detection of the WAN.

On manual restart (snortsam after snort), snortsam will log blocks correctly; however, nothing is passed to iptables:
2010/02/25, 11:52:14, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).

[root@starlane ~]# iptables -L -n -v | grep 4.79
..nothing

At a similar time snortsam also complains (in /var/log/snortsam) that it is not in sync with Snort; however, acceptance of the block from Snort indicates this isn't the problem:
snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

On closer inspection it appears that the iptables entry is completely removed from /etc/snortsam.conf:
# IP Tables plug-in:
# You have to specify the adapter to block on (for example, eth0) and you can
# optionally add a logging option.
[BLANK LINE]

Manually adding the following back and restarting snortsam fixes the problem, and the iptables rules are recreated:
iptables eth1 syslog.info

It is not clear which functions or network situations of the webconfig cause this line to be removed or re-added, or whether, if left long enough, it would eventually block the host. I have waited >5-10 mins.

This has happened on maybe 2-3 occasions, sporadically.

No tags attached.
Issue History
2010-02-25 05:48  timb80  New Issue
2010-02-26 08:56  user2   Status: new => acknowledged
2010-04-13 03:52  timb80  Note Added: 0000079
2010-06-08 14:34  user2   Note Added: 0000168
2010-06-08 14:35  user2   Status: acknowledged => resolved
2010-06-08 14:35  user2   Fixed in Version => 5.1
2010-06-08 14:35  user2   Resolution: open => fixed
2010-06-08 14:35  user2   Assigned To => user2
2010-06-08 14:38  user2   Note Added: 0000169
2010-06-17 15:19  user2   Note Added: 0000185
2010-06-17 15:19  user2   Status: resolved => closed

Notes
(0000079) timb80, 2010-04-13 03:52
This happened again today. Snort was restarted (after some configuration with local.rules) and the iptables line was noticed as missing from /etc/snortsam.conf:
'iptables eth1 syslog.info'

The webconfig continues to think it is blocking hosts, and so does snortsam. This is bad.

2010/04/13, 10:47:10, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).
2010/04/13, 10:47:29, 127.0.0.1, 2, snortsam, Extending block for host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).

But no entries appear in the actual firewall (not surprisingly). However, both the user and the webconfig are completely unaware:

[root@starlane ~]# iptables -L -n -v | grep 4.79
[root@starlane ~]#

I suggest that Snortsam should not be able to start without a valid iptables plugin in the config?
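The two checks the report and the note above point at, written out as an added example (this is not ClearOS, ClearFoundation or snortsam code): a pre-start check that refuses to treat snortsam as usable unless /etc/snortsam.conf has an uncommented `iptables` directive (repairing it with the `iptables eth1 syslog.info` line the reporter re-added by hand), and a reconciliation of the hosts snortsam logs as blocked against a saved `iptables -L -n -v` dump, so the "blocking but nothing in the firewall" state is visible without reading the webconfig. The file locations, the `eth1` interface, the 192.0.2.10 host and the firewall dump are assumptions or constructed sample data; the snortsam log lines mirror the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not ClearOS/snortsam code. Two checks that could be bolted onto
# the snortsam start path:
#   1. refuse to proceed (or repair the config) when snortsam.conf has no
#      "iptables <interface> [logging]" directive;
#   2. reconcile hosts snortsam claims to block against an iptables dump.
# Paths, the "eth1" interface and the sample data below are assumptions.

# has_iptables_plugin CONF
# Succeeds if CONF contains an uncommented "iptables <interface> ..." directive.
has_iptables_plugin() {
    grep -Eq '^[[:space:]]*iptables[[:space:]]+[A-Za-z0-9_.:-]+([[:space:]]|$)' "$1"
}

# ensure_iptables_plugin CONF IFACE
# Appends "iptables IFACE syslog.info" (the manual fix from the report) when the
# directive is missing. Prints "added" or "present".
ensure_iptables_plugin() {
    if has_iptables_plugin "$1"; then
        echo present
    else
        printf 'iptables %s syslog.info\n' "$2" >> "$1"
        echo added
    fi
}

# hosts_blocked_in_log SNORTSAM_LOG
# Unique IPv4 hosts that snortsam reports as blocked or extended.
hosts_blocked_in_log() {
    grep -E 'snortsam, (Blocking host|Extending block for host) [0-9.]+ ' "$1" \
      | sed -E 's/.*host ([0-9]+(\.[0-9]+){3}) .*/\1/' \
      | sort -u
}

# hosts_missing_from_firewall SNORTSAM_LOG IPTABLES_DUMP
# Hosts present in the log but absent from a saved "iptables -L -n -v" dump.
hosts_missing_from_firewall() {
    hosts_blocked_in_log "$1" | while IFS= read -r ip; do
        grep -Fqw -- "$ip" "$2" || printf '%s\n' "$ip"
    done
}

# --- demo on constructed data -------------------------------------------------
demo_dir=$(mktemp -d)
# Config in the broken state from the report: plug-in comment, directive gone.
printf '# IP Tables plug-in:\n# You have to specify the adapter to block on.\n\n' \
    > "$demo_dir/snortsam.conf"
# Log lines as quoted in the report, plus one constructed entry (192.0.2.10).
cat > "$demo_dir/snortsam.log" <<'EOF'
2010/04/13, 10:47:10, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).
2010/04/13, 10:47:29, 127.0.0.1, 2, snortsam, Extending block for host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).
2010/04/13, 10:48:02, 127.0.0.1, 2, snortsam, Blocking host 192.0.2.10 completely for 86400 seconds (Sig_ID: 524).
EOF
# Constructed firewall dump: only 192.0.2.10 actually made it into iptables.
cat > "$demo_dir/iptables.txt" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   *       192.0.2.10           0.0.0.0/0
EOF

echo "config directive: $(ensure_iptables_plugin "$demo_dir/snortsam.conf" eth1)"
echo "blocked in log but missing from firewall:"
hosts_missing_from_firewall "$demo_dir/snortsam.log" "$demo_dir/iptables.txt"
rm -rf "$demo_dir"
```

Run against the real files (`/etc/snortsam.conf`, `/var/log/snortsam`, and `iptables -L -n -v > dump.txt`) the reconciliation prints exactly the hosts that snortsam and the webconfig believe are blocked while the firewall holds nothing for them; an empty result means the two agree.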
(0000168) user2, 2010-06-08 14:34
Fixed. The init script would only implant an "iptables" directive if an external interface was active. That's not good.

http://code.clearfoundation.com/svn/revision.php?repname=ClarkConnect&path=/&rev=4069&peg=4069
(0000169) user2, 2010-06-08 14:38
There will be an errata available shortly. Look out for snort-2.8.4.1-3.1.v5.i386.rpm in the yum repos.
(0000185) user2, 2010-06-17 15:19
Errata update: CCBA-2010:057
http://clearsdn.clearcenter.com/software/detail.php?aid=57